All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Does decrypt work in distributed search environments?

ltawfall
Path Finder
‎09-25-2015 10:20 AM

I can get this app to work fine, if I'm running in locally on an indexer. But not from a distributed search head.

index=_internal | decrypt field=sourcetype hex() emit('sourcetype')

Corresponding Errors:

[xxxxx] Streamed search execute failed because: Error in 'decrypt' command: Cannot find program 'decrypt' or script 'decrypt'.
[xxxxx] Streamed search execute failed because: Error in 'decrypt' command: Cannot find program 'decrypt' or script 'decrypt'.
[xxxxx] Streamed search execute failed because: Error in 'decrypt' command: Cannot find program 'decrypt' or script 'decrypt'.
[xxxxx] Streamed search execute failed because: Error in 'decrypt' command: Cannot find program 'decrypt' or script 'decrypt'.

Works when I go to each indexer and run the command but not from the search head.

I basically looking for any app/script that will do base64 decoding from a distributed set up. Thus far I can seem to find one.

Thanks,
Lisa

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

bmacias84
Champion
‎09-25-2015 03:35 PM

This app is missing a setting within the commands.conf. Add the following settings to decrypt/default/commands.conf local = true. If local=true, specifies that the command should be run on the search head only. The default is false. This should fix the issue.

Example commands.conf:

[decrypt]
filename = decrypt.py
streaming = true
# setting missing from
local = true

View solution in original post

Reply
Solved! Jump to solution
Solution

bmacias84
Champion
‎09-25-2015 03:35 PM

This app is missing a setting within the commands.conf. Add the following settings to decrypt/default/commands.conf local = true. If local=true, specifies that the command should be run on the search head only. The default is false. This should fix the issue.

Example commands.conf:

[decrypt]
filename = decrypt.py
streaming = true
# setting missing from
local = true
Reply
Solved! Jump to solution

ltawfall
Path Finder
‎09-25-2015 07:55 PM

Yep, that totally did it. Thanks!

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...